Interforest Migration with ADMT 3.2 – Part 2

Creating Trust Relationship

Click Start, then Administrative Tools, and open Active Directory Domains and Trusts.

Right-click the domain (Contoso.com), then click Properties.

Click the Trusts tab, then select New Trust.

On the Welcome to the New Trust Wizard page, click Next.

On the Trust Name page, type the target DNS domain name (Wiki.com), then click Next.

On the Trust Type page, select Forest trust, then click Next.

On the Direction of Trust page, select Two-way, then click Next.

On the Sides of Trust page, select Both this domain and the specified domain, then click Next.

On the User Name and Password page, type domain administrator credentials for the target domain (Wiki.com).

On the Outgoing Trust Authentication Level-Local Forest page, select Forest-wide authentication, then click Next.

On the Outgoing Trust Authentication Level-Specified Forest page, select Forest-wide authentication, then click Next.

On the Trust Selections Complete page, review your settings, then click Next.

On the Trust Creation Complete page, review your settings, then click Next.

On the Confirm Outgoing Trust page, select Yes, confirm the outgoing trust, then click Next.

On the Confirm Incoming Trust page, select Yes, confirm the incoming trust, then click Next.

On the Completing the New Trust Wizard page, click Finish.

Click OK to close the Properties page.

 

 

Now, we need to validate the trust relationship on the Windows Server 2008 R2 domain controller (Wiki.com).

Click Start, then Administrative Tools, and open Active Directory Domains and Trusts.

Right-click the domain (Wiki.com), then click Properties.

Click the Trusts tab, select the target domain (Contoso.com) in the Domains trusted by this domain (outgoing trusts) box, then click Properties.

On the General tab, click Validate.

Select Yes, validate the incoming trust. Type domain administrator credentials for the source domain (Contoso.com), then click OK.

You now see the message "The trust has been validated. It is in place and active." Click OK.

A prompt about updating the name suffix routing appears; click Yes.

Click OK and close the Properties page.

Click the Trusts tab, select the target domain (Contoso.com) in the Domains that trust this domain (incoming trusts) box, then click Properties.

On the General tab, click Validate.

Select Yes, validate the incoming trust. Type domain administrator credentials for the source domain (Contoso.com), then click OK.

You now see the message "The trust has been validated. It is in place and active." Click OK.

A prompt about updating the name suffix routing appears; click Yes.

Click OK and close the Properties page.

Click OK and close the Wiki.com Properties page.
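The same trust can be checked from PowerShell, which also leaves a record of what the wizard configured (direction, authentication scope, name suffix routing). This is an added example, not part of the original article; it uses the .NET System.DirectoryServices.ActiveDirectory classes available on Windows Server 2008 R2 and assumes the article's lab names Wiki.com and Contoso.com.

```powershell
# Added example, not from the original article. Run elevated on DC2008R2 (Wiki.com).
# Contoso.com / Wiki.com are the article's lab names; adjust for your forests.
$remoteName = 'Contoso.com'
$local      = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# What the wizard created: expect TrustType 'Forest' and TrustDirection 'Bidirectional'.
$trust = $local.GetTrustRelationship($remoteName)
$trust | Select-Object SourceName, TargetName, TrustType, TrustDirection

# "Forest-wide authentication" in the wizard means selective authentication is off.
# This reads the setting on the local (Wiki.com) side of the trust.
$selective = $local.GetSelectiveAuthenticationStatus($remoteName)
$scope = if ($selective) { 'Selective authentication' } else { 'Forest-wide authentication' }
"Authentication scope: $scope"

# Name suffixes routed across the trust (the "name suffix routing" prompt above).
$trust.TopLevelNames | Select-Object Name, Status

# Equivalent of clicking Validate for the outgoing and the incoming side.
$ctxType = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest
$ctx     = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($ctxType, $remoteName)
$remote  = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

foreach ($name in 'Outbound', 'Inbound') {
    $direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]$name
    try {
        # Returns nothing on success and throws when the trust cannot be verified.
        $local.VerifyTrustRelationship($remote, $direction)
        '{0,-8} trust with {1}: verified' -f $name, $remoteName
    } catch {
        '{0,-8} trust with {1}: FAILED - {2}' -f $name, $remoteName, $_.Exception.Message
    }
}
```

Keep the output with the migration records: a two-way forest trust with forest-wide authentication is the widest setting the wizard offers, so it is worth knowing exactly what to tighten or remove once the migration is finished.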

 

 

 

Configuring the DNS Suffix Search List

Next, clients in each domain must be able to resolve FQDNs from the other domain. We use a GPO to set the DNS Suffix Search List for clients.

On the DC2008R2 domain controller in Wiki.com, click Start, Administrative Tools, then click Group Policy Management.

Because this is a test lab, I use the Default Domain Policy. In a real scenario, create a new GPO.

Right-click Default Domain Policy, then click Edit.

In Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Network\DNS Client. Right-click DNS Suffix Search List, and then click Edit.

On the DNS Suffix Search List Properties page, select Enabled. In the DNS Suffixes box, type Wiki.com,Contoso.com, then click OK.

Close everything, open a Command Prompt and run the GPUPDATE /force command.

On the DC2003 domain controller in Contoso.com, click Start, Administrative Tools, then click Group Policy Management.

Again, because this is a test lab, I use the Default Domain Policy. In a real scenario, create a new GPO.

Right-click Default Domain Policy, then click Edit.

In Group Policy Object Editor, go to Computer Configuration\Administrative Templates\Network\DNS Client. Right-click DNS Suffix Search List, and then click Properties.

On the DNS Suffix Search List Properties page, select Enabled. In the DNS Suffixes box, type Contoso.com,Wiki.com, then click OK.

Close everything, open a Command Prompt and run the GPUPDATE /force command.

Now, we test the GPO configuration on the Win7 client. Open a Command Prompt and run the IPCONFIG /ALL command.

You can see Contoso.com and Wiki.com in the DNS Suffix Search List.

 

Installing SQL Express

ADMT v3.2 requires a preconfigured instance of SQL Server for its underlying data store. You should use SQL Server Express. When you use one of the following versions of SQL Server Express, ADMT installation enforces the following service pack requirements:

  • SQL Server 2005 Express must be installed with Service Pack 3 (SP3) or later.
  • SQL Server 2008 Express must be installed with Service Pack 1 (SP1) or later.

Double-click SQLEXPR_x64_ENU.exe to run the installer.

On the right panel, click Installation, then on the left side click New SQL Server stand-alone installation or add features to an existing installation.

On the Setup Support Rules page, click OK.

On the Product Key page, click Next.

On the License Terms page, select the I accept the license terms box, then click Next.

On the Setup Support Files page, click Install.

On the Setup Support Rules page, click Next.

On the Feature Selection page, select Database Engine Service, then click Next.

On the Instance Configuration page, accept the default names and settings, then click Next.

On the Disk Space Requirements page, click Next.

On the Server Configuration page, for the SQL Server service use your ADMT service account (because this is my test lab, I used the Wiki\administrator account), then click Next.

On the Database Engine Configuration page, select Windows authentication mode, then in Specify SQL Server administrators add the Wiki\Administrator account. Click Next.

On the Error and Usage Reporting page, click Next.

On the Installation Rules page, click Next.

On the Ready to Install page, click Install.

On the Installation Progress page, click Next.

On the Complete page, click Close.

 

 

 

 

Installing ADMT 3.2

Now, we install ADMT 3.2 in the target domain (Wiki.com). Keep in mind that you can install ADMT 3.2 only on Windows 2008 R2 servers.

On the Welcome to the Active Directory Migration Tool Installation page, click Next.

On the License Agreement page, select I Agree, then click Next.

On the Customer Experience Improvement Program page, click Next.

On the Database Selection page, in the Database box type your SQL database instance (my instance is .\SQLEXPRESS), then click Next.

On the Database Import page, select No, do not import data from an existing database (Default), then click Next.

Review the information, then click Finish.

 

 

 

ADMT error: Unable to check for failed actions. :DBManager.IManageDB.1

When you install Active Directory Migration Tool (ADMT) 3.2 on a Windows Server 2008 R2 domain controller and use SQL Express 2008 with SP1 and SQL 2008 Cumulative Update 4, the installation completes without errors. However, the dialog "Active Directory Migration Tool Installation Wizard" is blank when the install is finished.

When you then attempt to run the ADMT console, you receive an error, and the MMC console then displays an error as well.

There is a code defect in how ADMT interoperates with SQL Express 2008 SP1 on domain controllers, which results in the "SQLServerMSSQLUser$ComputerName$InstanceName" group not being created. ADMT requires this group to configure specific permissions during the ADMT install, and the group allows the ADMT database to be created in the SQL instance. ADMT expects the group to be present, and its absence leads to the blank dialog and an incomplete installation.

Resolution:

ADMT 3.2 installation incomplete, MMC console error "cannot open database ‘ADMT’ requested by the login"

ADMT 3.2: Common Installation Issues

You can find common installation issues for ADMT 3.2 at this link:

ADMT 3.2: Common Installation Issues – NedPyle [MSFT]

 

Creating Encryption Key

Before you install the ADMT Password Migration DLL on the domain controller in the source domain (Contoso.com), you need to create an encryption key on the domain controller running ADMT in the target domain (Wiki.com). Run a Command Prompt with administrative privileges and type:

ADMT Key /Option:Create /SourceDomain:Contoso.com /KeyFile:C:\FMP\FileMigPass.pes /KeyPassword:Password01
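The key file protects the passwords that the Password Export Server hands to ADMT, so both the file and its password deserve more care than the lab command gives them. The following is an added example, not part of the original article: it creates the same key with ADMT's prompt form of /KeyPassword (an asterisk instead of a literal password) and restricts the folder's ACL before the key is written. The path and domain name are the article's; the ACL choice is an assumption for a typical setup.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# console (not the ISE, because ADMT prompts interactively) on DC2008R2 (Wiki.com).
$keyDir  = 'C:\FMP'                               # folder used in the article
$keyFile = Join-Path $keyDir 'FileMigPass.pes'    # key file name used in the article

# 1. Create the folder and lock it down BEFORE the key is written:
#    remove inherited permissions, allow only local Administrators and SYSTEM.
New-Item -ItemType Directory -Path $keyDir -Force | Out-Null
icacls $keyDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 2. Same command as in the article, except that /KeyPassword:* makes ADMT prompt
#    for the password, so it does not end up in the command line, in console
#    history, or in a script file.
admt key /option:create /sourcedomain:Contoso.com "/keyfile:$keyFile" /keypassword:*
if (-not (Test-Path -LiteralPath $keyFile)) { throw "Key file $keyFile was not created" }

# 3. Show the permissions the key file actually ended up with.
icacls $keyFile
```

Copy the key to the source domain controller over a channel you control, and delete the transfer copy once the Password Migration DLL has been installed with it.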

 

 

 

ADMT Migration Account

In this article, I did not create an ADMT service account: because this is my test lab, I used the target domain administrator account (Wiki\Administrator) as the ADMT service account. For the ADMT service account in a real scenario, please use the article by Santhosh Sivarajan (MVP):

ADMT Service Account – Permission and Configuration

On DC2003 in Contoso.com, click Start, Administrative Tools, then select Active Directory Users and Computers.

In the left panel, select Builtin, then in the right panel right-click the Administrators group and select Properties.

Select the Members tab, click Add and add the Wiki\Administrator account to this group.

Keep in mind that the ADMT migration account that you use to migrate clients and member servers must have local administrator rights on the clients and member servers in the source domain (Contoso.com). You can use Group Policy (Restricted Groups).

Click Start, Administrative Tools, then click Group Policy Management.

Again, because this is a test lab, I use the Default Domain Policy. In a real scenario, create a new GPO.

In the left panel, right-click Default Domain Policy, then click Edit.

Go to Computer Configuration\Windows Settings\Security Settings\Restricted Groups, right-click Restricted Groups, then click Add Group.

Select Browse, then add the Wiki\Domain Admins group. Click OK.

Click OK.

On the This group is a member of panel, select Add.

Select Browse, then add the Contoso\Administrators group. Click OK.

Click OK.

Click OK.

Click OK.

Close Group Policy Object Editor.

Open a Command Prompt and run this command:

GPUPDATE /FORCE

Now, we check the GPO configuration on the Win7 client. As you can see, Wiki\Domain Admins is a local administrator on Win7.
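The check on the Win7 client can be scripted so that it covers every client and member server, both to confirm that the Restricted Groups policy applied and, after the migration, to find where the target domain's administrators still hold local administrator rights. This is an added example, not part of the original article; WIKI is assumed to be the NetBIOS name of the target domain and WIN7 is a placeholder computer name.

```powershell
# Added example, not from the original article.
# 'WIKI' = assumed NetBIOS name of the target domain; 'WIN7' = placeholder client name.
function Get-LocalAdminMember {
    param(
        [string[]]$ComputerName  = @($env:COMPUTERNAME),
        [string]  $ForeignDomain = 'WIKI'
    )
    foreach ($computer in $ComputerName) {
        try {
            # The WinNT provider reads the local SAM group over the network.
            $group   = [ADSI]"WinNT://$computer/Administrators,group"
            $members = @($group.psbase.Invoke('Members'))
        } catch {
            Write-Warning "Cannot read Administrators on $computer ($($_.Exception.Message))"
            continue
        }
        foreach ($member in $members) {
            # ADsPath looks like WinNT://WIKI/Domain Admins or WinNT://CONTOSO/WIN7/Administrator
            $path    = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
            $account = ($path -replace '^WinNT://', '') -replace '/', '\'
            New-Object PSObject -Property @{
                Computer      = $computer
                Member        = $account
                FromMigration = ($account -like "$ForeignDomain\*")
            }
        }
    }
}

# While the migration runs, every machine should list WIKI\Domain Admins.
# After cutover, any row with FromMigration = True is access that is still to be removed.
Get-LocalAdminMember -ComputerName 'WIN7' |
    Sort-Object Computer, Member |
    Format-Table Computer, Member, FromMigration -AutoSize
```

Run it with the list of source-domain computers before migrating and again after the Restricted Groups setting has been withdrawn.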

 

 

 

Installing ADMT Password Migration DLL

Before you migrate passwords, you need to install the ADMT Password Migration DLL on the domain controller in the source domain (Contoso.com).

On the Welcome to the ADMT Password Migration DLL Installation Wizard page, click Next.

On the License Agreement page, select I accept License Agreement, then click Next.

Select Browse and choose the key file (FileMigPass.pes) you created on the ADMT machine (DC2008R2).

Click Next.

Type the password you used when creating the key file (FileMigPass.pes), then click Next.

On the Start Installation page, click Next.

Run the PES service as an ADMT account in the target domain (Wiki.com); in my case, Wiki\Administrator. Click OK.

Click OK.

The installation is complete. Click Finish.

You will need to restart the domain controller. Click Yes.

 

 

 

Starting Password Export Server Service

After restarting the domain controller, you need to start the Password Export Server Service manually.

Click Start, Administrative Tools, then click Services.

Right-click Password Export Server Service, then click Start.

The Password Export Server Service is now started.

 

 

From <http://social.technet.microsoft.com/wiki/contents/articles/16208.interforest-migration-with-admt-3-2-part-2.aspx>
